RE: Unusual logcheck entry

2003-10-09 Thread Charles Howse
> > Am I now protected from this attack? (note rpc.stat lines below)
> 
> You were anyway; this never affected FreeBSD.

Sorry, I mis-spoke.  What I should have said is, "Am I now protected
from rpc attacks?"

> However, I'd also add portmap_flags="-h 192.168.254.2" to your rc.conf

Done.  :-)

> if I were you.  I'd also reconsider the decision not to run a 
> firewall.

I may move that machine inside the hardware firewall.
The reason it's outside concerns the ftp server and PASV. 


___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: Unusual logcheck entry

2003-10-09 Thread Ceri Davies
On Thu, Oct 09, 2003 at 07:16:45AM -0500, Charles Howse wrote:
> > On Thu, Oct 09, 2003 at 05:43:31AM -0500, Charles Howse wrote:
> > > The following appeared in /var/log/messages in my daily
> > > logcheck report:
> > > 
> > > Oct  8 20:38:47 curly rpc.statd: invalid hostname to sm_stat:
> > > ^X???^X???^Z???^Z???%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hnM-^PM
> > > 
> > > At that time, I was sitting on the couch watching the Cubs play the
> > > Marlins.
> > > Any idea what this means?
> > 
> > This is an attempt to exploit an old Linux rpc.statd
> > vulnerability; see the mailing list archives for extensive discussion
> > a few years ago.
> 
> OK, I got some good info from the archives.
> I realize this is a harmless attack if running FBSD.
> I also realize that I shouldn't be running rpc on an interface facing
> the internet.
> For various reasons, this server is outside my hardware firewall, and
> I'm not interested in configuring a software firewall.
> Correct me if I'm wrong, but it looks to me like rpc.statd is related
> (at least) to NFS.
> I've placed the line "nfs_server_flags="-h 192.168.254.2" in my
> /etc/rc.conf, and rebooted.
> I've also edited /etc/ssh/sshd_config, and told it to listen only on
> 192.168.254.2, and not allow root logins.
> Am I now protected from this attack? (note rpc.stat lines below)

You were anyway; this never affected FreeBSD.

However, I'd also add portmap_flags="-h 192.168.254.2" to your rc.conf
if I were you.  I'd also reconsider the decision not to run a firewall.

Ceri
-- 

RE: Unusual logcheck entry

2003-10-09 Thread Charles Howse
> On Thu, Oct 09, 2003 at 05:43:31AM -0500, Charles Howse wrote:
> > The following appeared in /var/log/messages in my daily
> > logcheck report:
> > 
> > Oct  8 20:38:47 curly rpc.statd: invalid hostname to sm_stat:
> > ^X???^X???^Z???^Z???%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hnM-^PM
> > Oct  8 20:38:47 curly /kernel: -^PM-^PM-^P
> > 
> > At that time, I was sitting on the couch watching the Cubs play the
> > Marlins.
> > Any idea what this means?
> 
> This is an attempt to exploit an old Linux rpc.statd
> vulnerability; see the mailing list archives for extensive discussion
> a few years ago.

OK, I got some good info from the archives.
I realize this is a harmless attack if running FBSD.
I also realize that I shouldn't be running rpc on an interface facing
the internet.
For various reasons, this server is outside my hardware firewall, and
I'm not interested in configuring a software firewall.
Correct me if I'm wrong, but it looks to me like rpc.statd is related
(at least) to NFS.
I've placed the line "nfs_server_flags="-h 192.168.254.2" in my
/etc/rc.conf, and rebooted.
I've also edited /etc/ssh/sshd_config, and told it to listen only on
192.168.254.2, and not allow root logins.
Am I now protected from this attack? (note rpc.stat lines below)

[EMAIL PROTECTED] ~]# sockstat -4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
charles  sshd       194   4  tcp4   192.168.254.2:22      192.168.254.4:4341
root     sshd       192   4  tcp4   192.168.254.2:22      192.168.254.4:4341
root     nmbd       164   6  udp4   *:137                 *:*
root     nmbd       164   7  udp4   *:138                 *:*
root     nmbd       164   8  udp4   192.168.254.2:137     *:*
root     nmbd       164   9  udp4   192.168.254.2:138     *:*
root     smbd       162   12 tcp4   *:445                 *:*
root     smbd       162   13 tcp4   *:139                 *:*
root     sendmail   116   4  tcp4   127.0.0.1:25          *:*
root     sshd       113   3  tcp4   192.168.254.2:22      *:*
root     inetd      109   4  tcp4   *:21                  *:*
root     inetd      109   5  tcp4   *:110                 *:*
root     rpc.stat   95    3  udp4   *:1013                *:*
root     rpc.stat   95    4  tcp4   *:1022                *:*
root     mountd     87    3  udp4   *:1023                *:*
root     mountd     87    4  tcp4   *:1023                *:*
daemon   portmap    85    3  udp4   *:111                 *:*
daemon   portmap    85    4  tcp4   *:111                 *:*
root     syslogd    81    5  udp4   *:514                 *:*

[EMAIL PROTECTED] ~]# cat /etc/rc.conf

# -- sysinstall generated deltas -- # Mon Sep 22 08:28:22 2003
# Created: Mon Sep 22 08:28:22 2003
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
defaultrouter="192.168.254.254"
hostname="curly.howse.no-ip.org"
ifconfig_tx0="inet 192.168.254.2  netmask 255.255.255.0"
kern_securelevel_enable="NO"
moused_enable="NO"
moused_type="NO"
nfs_server_enable="YES"
nfs_server_flags="-h 192.168.254.2"
portmap_enable="YES"
mountd_flags="-l"
nfs_client_enable="YES"
saver="daemon"
sendmail_enable="NO"
sshd_enable="YES"
usbd_enable="NO"
ntpdate_enable="YES"
ntpdate_flags="time.nist.gov"
xntpdate_enable="YES"
syslogd_enable="YES"
syslog_flags="-ss"
clear_tmp_enable="YES"

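An added example, not code from any of the mails in this thread: a small Python check that parses `sockstat -4` output and reports which daemons are bound to the wildcard address, which is exactly what Ceri's `-h 192.168.254.2` advice for portmap and the NFS daemons is meant to eliminate. The sample input is constructed from the listing Charles posted, trimmed to the rows that matter and with PID and FD as separate columns.

```python
"""Audit `sockstat -4` output for daemons bound to every interface.

Added example for this thread, not code from any of the mails.  The
sample input is constructed from the listing Charles posted, trimmed to
the rows that matter and with PID and FD as separate columns.
"""

# Constructed sample: sockstat(1) truncates long command names (rpc.statd
# shows as "rpc.stat"), so daemons are matched by prefix below.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
charles  sshd       194   4  tcp4   192.168.254.2:22      192.168.254.4:4341
root     sshd       113   3  tcp4   192.168.254.2:22      *:*
root     inetd      109   4  tcp4   *:21                  *:*
root     rpc.stat   95    3  udp4   *:1013                *:*
root     rpc.stat   95    4  tcp4   *:1022                *:*
root     mountd     87    3  udp4   *:1023                *:*
daemon   portmap    85    3  udp4   *:111                 *:*
daemon   portmap    85    4  tcp4   *:111                 *:*
root     syslogd    81    5  udp4   *:514                 *:*
"""

# RPC/NFS daemons that should be bound to the LAN address (the -h flags
# Ceri recommends) or not running at all on a host outside the firewall.
RPC_PREFIXES = ("portmap", "rpc.stat", "mountd", "nfsd")


def parse_sockstat(text):
    """Yield one dict per socket row; the header row is skipped."""
    for line in text.strip().splitlines()[1:]:
        fields = line.split()
        if len(fields) < 7:
            continue                      # malformed or wrapped row
        user, cmd, pid, fd, proto, local, foreign = fields[:7]
        host, _, port = local.rpartition(":")
        yield {"user": user, "cmd": cmd, "pid": int(pid), "fd": int(fd),
               "proto": proto, "host": host, "port": port, "foreign": foreign}


def wildcard_listeners(text):
    """Listening sockets bound to '*' (every interface), as (cmd, proto, port)."""
    return sorted({(s["cmd"], s["proto"], s["port"]) for s in parse_sockstat(text)
                   if s["host"] == "*" and s["foreign"] == "*:*"})


def exposed_rpc(text):
    """The wildcard listeners that belong to the RPC/NFS daemons."""
    return [w for w in wildcard_listeners(text) if w[0].startswith(RPC_PREFIXES)]


if __name__ == "__main__":
    for cmd, proto, port in wildcard_listeners(SAMPLE_SOCKSTAT):
        flag = "RPC" if cmd.startswith(RPC_PREFIXES) else "   "
        print(f"{flag} {cmd:<10} {proto} *:{port}")
```

One caveat the listing makes visible: syslogd is still on `*:514` even though the rc.conf above sets `syslog_flags="-ss"`, because the variable FreeBSD's rc scripts read is `syslogd_flags`, so the `-ss` was never applied.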


Re: Unusual logcheck entry

2003-10-09 Thread Kris Kennaway
On Thu, Oct 09, 2003 at 05:43:31AM -0500, Charles Howse wrote:
> The following appeared in /var/log/messages in my daily logcheck report:
> 
> Oct  8 20:38:47 curly rpc.statd: invalid hostname to sm_stat:
> ^X???^X???^Z???^Z???%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hnM-^PM
> Oct  8 20:38:47 curly /kernel: -^PM-^PM-^P
> 
> At that time, I was sitting on the couch watching the Cubs play the
> Marlins.
> Any idea what this means?

This is an attempt to exploit an old Linux rpc.statd
vulnerability; see the mailing list archives for extensive discussion
a few years ago.

Kris
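An added example, not part of any of the mails: a logcheck-style classifier for rpc.statd's "invalid hostname to sm_stat" entries that separates a format-string exploit attempt like the one above from an ordinary malformed hostname. The sample lines are constructed from the entry in the thread with the NOP sled shortened; `M-^P` is the cat -v style notation for byte 0x90 (an x86 NOP), which is how the non-printable bytes reached the log.

```python
"""Classify rpc.statd 'invalid hostname to sm_stat' log lines.

Added example for this thread, not code from any of the mails.  A real
hostname never contains printf directives, so the presence of %n/%hn
(memory-write directives) or a run of 0x90 bytes is enough to label the
entry as a format-string exploit attempt.
"""
import re

# Constructed from the entry Charles posted; the NOP sled is shortened.
SAMPLE_ATTACK = (
    "Oct  8 20:38:47 curly rpc.statd: invalid hostname to sm_stat: "
    "^X???^X???^Z???^Z???%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn"
    + "M-^P" * 40
)
# Constructed benign counterpart: a bad hostname, nothing more.
SAMPLE_BENIGN = ("Oct  8 21:02:11 curly rpc.statd: invalid hostname to "
                 "sm_stat: fileserver_old")

SM_STAT_RE = re.compile(r"rpc\.statd: invalid hostname to sm_stat: (?P<host>.*)$")
FMT_DIRECTIVE_RE = re.compile(r"%\d*(?:h{1,2}|l{1,2})?[xXdnsp]")   # any printf directive
WRITE_DIRECTIVE_RE = re.compile(r"%\d*(?:h{1,2}|l{1,2})?n")        # %n, %hn, %hhn, %ln
NOP_RE = re.compile(r"(?:M-\^P){8,}")        # 8 or more consecutive 0x90 bytes


def classify_statd_line(line):
    """Return None for unrelated lines, else a dict with the verdict and evidence."""
    m = SM_STAT_RE.search(line)
    if not m:
        return None
    host = m.group("host")
    directives = len(FMT_DIRECTIVE_RE.findall(host))
    writes = len(WRITE_DIRECTIVE_RE.findall(host))
    nop_sled = bool(NOP_RE.search(host))
    if writes or nop_sled or directives >= 4:
        verdict = "format-string exploit attempt"
    elif directives:
        verdict = "suspicious"              # stray % in a hostname; worth a look
    else:
        verdict = "malformed hostname"
    return {"verdict": verdict, "directives": directives,
            "writes": writes, "nop_sled": nop_sled}


if __name__ == "__main__":
    for sample in (SAMPLE_ATTACK, SAMPLE_BENIGN):
        print(classify_statd_line(sample))
```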
